Double ACL term

Unanswered Question
Oct 8th, 2008


Can anyone tell me what Cisco means when they say "Double ACL scenario"?

Do they mean that the packet passes in the standard ACL and then passes in the CBAC dynamic ACL?

Thank you very much for your help

P.S. It's regarding a possible related bug on my Cisco router: CSCsr15518

Giuseppe Larosa Wed, 10/08/2008 - 13:14

Hello Martin,

the bug detailed info is not accessible outside Cisco at the moment.

Could you describe your issue and your current config in order to get better help?

Hope to help


martindesrosiers Thu, 10/09/2008 - 06:13

Here is the bug detail that I printed out before it became unavailable outside Cisco:

CSCsr15518 Bug Details

Packet drops in cef switching while enabling double ACL

The Fast counter validation failed in cef switching after applying Double ACL.


This failure occurred in Double ACL scenario.




Our network is a DMVPN network

Hub routers that may be affected by the bug are configured like this:

- WAN interface with an inbound extended ACL that denies everything except "ESP", "GRE", "ISAKMP", "established tcp session" etc. We also have an outbound ip inspect policy.

- Tunnel interface (linked with the WAN interface).

martindesrosiers Thu, 10/09/2008 - 06:14

Sorry, I also have CEF switching activated on my WAN and tunnel interfaces.

Thank you very much :)

Giuseppe Larosa Thu, 10/09/2008 - 06:32

Hello Martin,

I would consider disabling CEF on the WAN interface to see if the behaviour changes.

Hope to help


martindesrosiers Thu, 10/09/2008 - 07:07

I'll probably disable it like you say. But I can't see if packets are dropped like they said in the bug detail.

But I also want to know if the term "Double ACL" is an extended ACL with ip inspect configured on an interface?

Thank you very much for your help

